bradcathey made a very wise question... And deep inside he knows the answer to the question he has asked

Yikes, I'm storing their CC# when told them I wouldn't.

Then by all means, don't. You already have a very nice setup going on... You're using strong crypto to protect the credit card. What you need to store in your database, is a random secret indexed with the key you already have.

Then you use this random secret as the key to encrypt the CC number, as you already described, and return this encripted credit card number back to the browser.

By doing this, you won't be storing the CC number (your customer will), and you will be protecting the CC number within the cookie jar of your customer's browser.

The returned cookie can be set to expire in a reasonable time, just as the secret in the database.